Jan 292018
 

I have several old devices. Upgrading them is either impossible, they are unsupported, or I can’t be bothered upgrading the. Access is only via a dedicated VLAN within my home network.

When stuck, I posted to Twitter and that led me to OpenSSH Legacy Options. This page describes what to do when OpenSSH refuses to connect with an implementation that only supports legacy algorithms.

Here’s what I just tried:

$ ssh pdu1
Unable to negotiate with 10.52.0.2 port 22: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1


$ ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 pdu1
Unable to negotiate with 10.52.0.2 port 22: no matching cipher found. Their offer: 3des-cbc,blowfish-cbc


$ ssh -Q cipher
3des-cbc
aes128-cbc
aes192-cbc
aes256-cbc
rijndael-cbc@lysator.liu.se
aes128-ctr
aes192-ctr
aes256-ctr
aes128-gcm@openssh.com
aes256-gcm@openssh.com
chacha20-poly1305@openssh.com


$ ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 -c 3des-cbc pdu1
ssh_dispatch_run_fatal: Connection to 10.52.0.2 port 22: Invalid key length


$ ssh-add -D
All identities removed.


$ ssh -a -oKexAlgorithms=+diffie-hellman-group1-sha1 -c 3des-cbc pdu1
ssh_dispatch_run_fatal: Connection to 10.52.0.2 port 22: Invalid key length

$ ssh-add -l
The agent has no identities.

Let’s try verbose:

$ ssh -vvvv -oKexAlgorithms=+diffie-hellman-group1-sha1 -c 3des-cbc pdu1
OpenSSH_7.6p1, LibreSSL 2.6.2
debug1: Reading configuration data /Users/dan/.ssh/config
debug1: /Users/dan/.ssh/config line 5: Applying options for *
debug1: /Users/dan/.ssh/config line 168: Applying options for pdu1
debug3: kex names ok: [diffie-hellman-group1-sha1]
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 48: Applying options for *
debug2: ssh_connect_direct: needpriv 0
debug1: Connecting to pdu1.int.unixathome.org port 22.
debug1: Connection established.
debug1: key_load_public: No such file or directory
debug1: identity file /Users/dan/.ssh/id_rsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /Users/dan/.ssh/id_rsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /Users/dan/.ssh/id_dsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /Users/dan/.ssh/id_dsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /Users/dan/.ssh/id_ecdsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /Users/dan/.ssh/id_ecdsa-cert type -1
debug1: identity file /Users/dan/.ssh/id_ed25519 type 3
debug1: key_load_public: No such file or directory
debug1: identity file /Users/dan/.ssh/id_ed25519-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_7.6
debug1: Remote protocol version 2.0, remote software version cryptlib
debug1: no match: cryptlib
debug3: fd 5 is O_NONBLOCK
debug1: Authenticating to pdu1.int.unixathome.org:22 as 'dvl'
debug3: hostkeys_foreach: reading file "/Users/dan/.ssh/known_hosts"
debug1: /Users/dan/.ssh/known_hosts:400: parse error in hostkeys file
debug3: send packet: type 20
debug1: SSH2_MSG_KEXINIT sent
debug3: receive packet: type 20
debug1: SSH2_MSG_KEXINIT received
debug2: local client KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1,ext-info-c
debug2: host key algorithms: ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
debug2: ciphers ctos: 3des-cbc
debug2: ciphers stoc: 3des-cbc
debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none,zlib@openssh.com,zlib
debug2: compression stoc: none,zlib@openssh.com,zlib
debug2: languages ctos: 
debug2: languages stoc: 
debug2: first_kex_follows 0 
debug2: reserved 0 
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: diffie-hellman-group1-sha1
debug2: host key algorithms: ssh-rsa
debug2: ciphers ctos: 3des-cbc,blowfish-cbc
debug2: ciphers stoc: 3des-cbc,blowfish-cbc
debug2: MACs ctos: hmac-sha1,hmac-md5
debug2: MACs stoc: hmac-sha1,hmac-md5
debug2: compression ctos: none
debug2: compression stoc: none
debug2: languages ctos: 
debug2: languages stoc: 
debug2: first_kex_follows 0 
debug2: reserved 0 
debug1: kex: algorithm: diffie-hellman-group1-sha1
debug1: kex: host key algorithm: ssh-rsa
debug1: kex: server->client cipher: 3des-cbc MAC: hmac-sha1 compression: none
debug1: kex: client->server cipher: 3des-cbc MAC: hmac-sha1 compression: none
debug1: sending SSH2_MSG_KEXDH_INIT
debug2: bits set: 510/1024
debug3: send packet: type 30
debug1: expecting SSH2_MSG_KEXDH_REPLY
debug3: receive packet: type 31
ssh_dispatch_run_fatal: Connection to 10.52.0.2 port 22: Invalid key length

The above was from OSX 10.13.3 (17D47). Let’s try from FreeBSD.

FreeBSD

In this attempt, I had to specify the user on the connection. On my laptop, that was covered by my ~/.ssh/config file.

[dan@slocum:~] $ ssh -vvvv -oKexAlgorithms=+diffie-hellman-group1-sha1 -c 3des-cbc dvl@pdu1
OpenSSH_7.2p2, OpenSSL 1.0.2k-freebsd  26 Jan 2017
debug1: Reading configuration data /usr/home/dan/.ssh/config
debug3: kex names ok: [diffie-hellman-group1-sha1]
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 53: Deprecated option "useroaming"
debug2: resolving "pdu1.int.unixathome.org" port 22
debug2: ssh_connect_direct: needpriv 0
debug1: Connecting to pdu1.int.unixathome.org [10.52.0.2] port 22.
debug1: Connection established.
debug1: identity file /usr/home/dan/.ssh/id_rsa type 1
debug1: Fssh_key_load_public: No such file or directory
debug1: identity file /usr/home/dan/.ssh/id_rsa-cert type -1
debug1: Fssh_key_load_public: No such file or directory
debug1: identity file /usr/home/dan/.ssh/id_dsa type -1
debug1: Fssh_key_load_public: No such file or directory
debug1: identity file /usr/home/dan/.ssh/id_dsa-cert type -1
debug1: Fssh_key_load_public: No such file or directory
debug1: identity file /usr/home/dan/.ssh/id_ecdsa type -1
debug1: Fssh_key_load_public: No such file or directory
debug1: identity file /usr/home/dan/.ssh/id_ecdsa-cert type -1
debug1: Fssh_key_load_public: No such file or directory
debug1: identity file /usr/home/dan/.ssh/id_ed25519 type -1
debug1: Fssh_key_load_public: No such file or directory
debug1: identity file /usr/home/dan/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_7.2 FreeBSD-20161230
debug1: Remote protocol version 2.0, remote software version cryptlib
debug1: no match: cryptlib
debug2: fd 3 setting O_NONBLOCK
debug1: Authenticating to pdu1.int.unixathome.org:22 as 'dvl'
debug3: Fssh_hostkeys_foreach: reading file "/usr/home/dan/.ssh/known_hosts"
debug3: Fssh_record_hostkey: found key type RSA in file /usr/home/dan/.ssh/known_hosts:306
debug3: Fssh_load_hostkeys: loaded 1 keys from pdu1.int.unixathome.org
debug3: Fssh_hostkeys_foreach: reading file "/usr/home/dan/.ssh/known_hosts2"
debug3: order_hostkeyalgs: prefer hostkeyalgs: ssh-rsa-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-256,ssh-rsa
debug3: send packet: type 20
debug1: SSH2_MSG_KEXINIT sent
debug3: receive packet: type 20
debug1: SSH2_MSG_KEXINIT received
debug2: local client KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1,ext-info-c
debug2: host key algorithms: ssh-rsa-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-256,ssh-rsa,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519
debug2: ciphers ctos: 3des-cbc
debug2: ciphers stoc: 3des-cbc
debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none,zlib@openssh.com,zlib
debug2: compression stoc: none,zlib@openssh.com,zlib
debug2: languages ctos: 
debug2: languages stoc: 
debug2: first_kex_follows 0 
debug2: reserved 0 
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: diffie-hellman-group1-sha1
debug2: host key algorithms: ssh-rsa
debug2: ciphers ctos: 3des-cbc,blowfish-cbc
debug2: ciphers stoc: 3des-cbc,blowfish-cbc
debug2: MACs ctos: hmac-sha1,hmac-md5
debug2: MACs stoc: hmac-sha1,hmac-md5
debug2: compression ctos: none
debug2: compression stoc: none
debug2: languages ctos: 
debug2: languages stoc: 
debug2: first_kex_follows 0 
debug2: reserved 0 
debug1: kex: algorithm: diffie-hellman-group1-sha1
debug1: kex: host key algorithm: ssh-rsa
debug1: kex: server->client cipher: 3des-cbc MAC: hmac-sha1 compression: none
debug1: kex: client->server cipher: 3des-cbc MAC: hmac-sha1 compression: none
debug1: sending SSH2_MSG_KEXDH_INIT
debug2: bits set: 523/1024
debug3: send packet: type 30
debug1: expecting SSH2_MSG_KEXDH_REPLY
debug3: receive packet: type 31
debug1: Server host key: ssh-rsa SHA256:hPsoJNLzAZ+7LpBnPQFMcWEJtsovKc+uJm+0utUmyfw
debug3: verify_host_key_dns
DNS lookup error: general failure
debug3: Fssh_hostkeys_foreach: reading file "/usr/home/dan/.ssh/known_hosts"
debug3: Fssh_record_hostkey: found key type RSA in file /usr/home/dan/.ssh/known_hosts:306
debug3: Fssh_load_hostkeys: loaded 1 keys from pdu1.int.unixathome.org
debug3: Fssh_hostkeys_foreach: reading file "/usr/home/dan/.ssh/known_hosts2"
debug1: Host 'pdu1.int.unixathome.org' is known and matches the RSA host key.
debug1: Found key in /usr/home/dan/.ssh/known_hosts:306
debug2: bits set: 529/1024
debug3: send packet: type 21
debug2: set_newkeys: mode 1
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug3: receive packet: type 21
debug2: set_newkeys: mode 0
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS received
debug2: key: /usr/home/dan/.ssh/id_rsa (0x80208e200)
debug2: key: /usr/home/dan/.ssh/id_dsa (0x0)
debug2: key: /usr/home/dan/.ssh/id_ecdsa (0x0)
debug2: key: /usr/home/dan/.ssh/id_ed25519 (0x0)
debug3: send packet: type 5
debug3: receive packet: type 6
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug3: send packet: type 50
debug3: receive packet: type 51
Authenticated with partial success.
debug2: key: /usr/home/dan/.ssh/id_rsa (0x0)
debug2: key: /usr/home/dan/.ssh/id_dsa (0x0)
debug2: key: /usr/home/dan/.ssh/id_ecdsa (0x0)
debug2: key: /usr/home/dan/.ssh/id_ed25519 (0x0)
debug1: Authentications that can continue: password
debug3: start over, passed a different list password
debug3: preferred publickey,keyboard-interactive,password
debug3: authmethod_lookup password
debug3: remaining preferred: ,keyboard-interactive,password
debug3: authmethod_is_enabled password
debug1: Next authentication method: password
dvl@pdu1.int.unixathome.org's password: 
'debug3: send packet: type 50
debug2: we sent a password packet, wait for reply
debug3: receive packet: type 52
debug1: Authentication succeeded (password).
Authenticated to pdu1.int.unixathome.org ([10.52.0.2]:22).
debug1: channel 0: new [client-session]
debug3: ssh_session2_open: channel_new: 0
debug2: channel 0: send open
debug3: send packet: type 90
debug1: Entering interactive session.
debug1: pledge: network
debug3: receive packet: type 91
debug2: callback start
debug2: fd 3 setting TCP_NODELAY
debug3: Fssh_ssh_packet_set_tos: set IP_TOS 0x10
debug2: client_session2_setup: id 0
debug2: channel 0: request pty-req confirm 1
debug3: send packet: type 98
debug2: channel 0: request shell confirm 1
debug3: send packet: type 98
debug2: callback done
debug2: channel 0: open confirm rwindow 8192 rmax 1024
debug3: receive packet: type 99
debug2: channel_input_status_confirm: type 99 id 0
debug2: PTY allocation request accepted on channel 0
debug3: receive packet: type 99
debug2: channel_input_status_confirm: type 99 id 0
debug2: shell request accepted on channel 0



American Power Conversion               Network Management Card AOS      v2.6.4
(c) Copyright 2004 All Rights Reserved  Rack PDU APP                     v2.6.5
-------------------------------------------------------------------------------
Name      : pdu1                                      Date : 01/30/2018
Contact   : Dan Langille                              Time : 01:15:12
Location  : rack01 bottom                             User : Administrator
Up Time   : 2 Days 8 Hours 10 Minutes                 Stat : P+ N+ A+

Switched Rack PDU: Communication Established

------- Control Console -------------------------------------------------------

     1- Device Manager
     2- Network
     3- System
     4- Logout

     <ESC>- Main Menu, <ENTER>- Refresh, <CTRL-L>- Event Log
>

SUCCESS!

Proxy host

As I type this, I’m tired and I don’t want to pursue this next idea. Proxy tunnels.

Have a read of this and let me know: Creating a transparent SSH tunnel through a bastion host.

I am sure that by using the above idea, I can ssh from my laptop through the bastion host, and get onto that PDU.

The rest is left as an exercise for the reader. Please post in the comments. Thank you.

Website Pin Facebook Twitter Myspace Friendfeed Technorati del.icio.us Digg Google StumbleUpon Premium Responsive

  One Response to “Connecting to old devices via ssh”

  1. Putting this into ~/.ssh/config on the bastion host:

    Host pdu1 pdu1.int pdu1.int.unixathome.org
      user dvl
      KexAlgorithms diffie-hellman-group1-sha1
      Cipher 3des-cbc

    gives a good result:

    $ ssh pdu1
    Authenticated with partial success.
    dvl@pdu1.int.unixathome.org's password: